Can't get a certificate

Hello

I have an Ubuntu server somewhere on the other side of Europe. It's behind a TP-Link router.
That router has DMZ on for that server. I can access that router remotely via a specific port (so it doesn't interfere with the server; otherwise nginx catches all requests).

So, the server is a fully accessible server: 80, 443 and many more; web server, streaming server, etc.
All works fine, except when I wanted to renew the certificate; it says something like this:

Invalid port in redirect target. Only ports 80 and 443 are supported, not 8111

8111 being the port to access the router remotely.
Why does Certbot make such a redirect?

Of course, since I also have vncserver set up on the server, I can actually access the router locally through a browser, so I disabled the remote management of the router just so I could update the certificate, which worked at the first try (I cannot use DNS because it's a No-IP free domain, so I cannot manage the DNS records for it).

Certbot does not make redirects. The Let's Encrypt validation server (not Certbot) simply starts by connecting to HTTP on port 80 and will follow any redirect it receives.

Your TP-Link router is probably messing up the external port 80 from the world wide web. Your router shouldn't be "open" to the internet at large in that way to begin with, especially as TP-Link is known for its many, many vulnerabilities in their firmwares.


Certbot would not do a redirect. It is not even listening on port 80 unless you use the --standalone option. And, even then it would not redirect to anything.

It is difficult to give specific advice without knowing your domain name. This is a routing problem of some kind on your system. If you provide your domain we might be able to help identify where that is.

Or try using the Let's Debug site to locate what in your system sees the HTTP request on port 80 and redirects to 8111. https://letsdebug.net

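To make the behaviour described in the replies above concrete, here is an added example (it is not from the thread, and it is not Certbot's or Let's Debug's code): a small offline model of what an ACME http-01 validator does when it connects to port 80 and meets a redirect. The assumptions are mine: the validator fetches the challenge URL over plain HTTP, follows 3xx redirects, and rejects any redirect target that is not http or https on port 80 or 443. The two fetchers are constructed stand-ins, one for a router management httpd answering on port 80 and bouncing to port 8111, one for an nginx that redirects to HTTPS on the default port and serves the challenge file. Host name, token and key authorization are placeholders.

```python
"""Offline model of ACME http-01 redirect handling (added example, not
Certbot or Let's Debug code). Responses are constructed, nothing is
fetched from the network."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlsplit

# Assumption: only these ports are acceptable in a redirect target.
ALLOWED_PORTS = {80, 443}
MAX_REDIRECTS = 10


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""


def redirect_port_ok(location: str) -> Optional[str]:
    """Return None if an absolute redirect target is acceptable,
    otherwise a human-readable reason, phrased like the error on the page."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return f"unsupported scheme {parts.scheme!r}"
    try:
        port = parts.port          # None when the URL has no explicit port
    except ValueError:
        return "malformed port in redirect target"
    if port is None:
        port = 80 if parts.scheme == "http" else 443
    if port not in ALLOWED_PORTS:
        return (f"Invalid port in redirect target. Only ports 80 and 443 "
                f"are supported, not {port}")
    return None


Fetcher = Callable[[str], Response]


def validate_http01(fetch: Fetcher, host: str, token: str, key_auth: str) -> dict:
    """Start on http://host/ (port 80), follow redirects, and check the
    body of the final 200 response against the expected key authorization."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    hops: List[str] = [url]
    for _ in range(MAX_REDIRECTS):
        resp = fetch(url)
        if resp.status in (301, 302, 303, 307, 308):
            # Relative Location headers are resolved against the current URL.
            target = urljoin(url, resp.headers.get("Location", ""))
            problem = redirect_port_ok(target)
            if problem:
                return {"ok": False, "issue": "BadRedirect",
                        "detail": problem, "hops": hops + [target]}
            url = target
            hops.append(url)
            continue
        if resp.status != 200:
            return {"ok": False, "issue": f"HTTP {resp.status}", "hops": hops}
        if resp.body.strip() == key_auth:
            return {"ok": True, "hops": hops}
        return {"ok": False, "issue": "wrong key authorization", "hops": hops}
    return {"ok": False, "issue": "too many redirects", "hops": hops}


def router_fetch(url: str) -> Response:
    """Constructed: a router's management httpd holding port 80 and
    redirecting every request to its remote-management port."""
    host = urlsplit(url).hostname
    return Response(302, {"Location": f"https://{host}:8111/"})


def make_nginx_fetch(token: str, key_auth: str) -> Fetcher:
    """Constructed: nginx redirecting HTTP to HTTPS on the default port
    and serving the challenge file there."""
    def fetch(url: str) -> Response:
        parts = urlsplit(url)
        if parts.scheme == "http":
            return Response(301, {"Location": f"https://{parts.hostname}{parts.path}"})
        if parts.path == f"/.well-known/acme-challenge/{token}":
            return Response(200, {}, key_auth)
        return Response(404, {})
    return fetch


if __name__ == "__main__":
    # Placeholder host, token and key authorization (assumptions).
    print(validate_http01(router_fetch, "example.ddns.net", "tok", "tok.abc"))
    print(validate_http01(make_nginx_fetch("tok", "tok.abc"),
                          "example.ddns.net", "tok", "tok.abc"))
```

The first call reproduces the BadRedirect outcome: the very first hop lands on port 8111, so the validator never reaches nginx at all, which is why the certificate renews once the router stops answering on port 80. The second call shows that a redirect to HTTPS on the default port is fine; it is the port, not the redirect itself, that is rejected.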

The router isn't; the server connected to it is. And all services work fine: ssh, http, https, vncserver, sql, rtmp, ftp, deluge, or whatever you can find on a server. After validating the cert, I enabled the remote management again on the same port, and my site and all my apps work.

Thanks, I did, and saw the exact same thing as in the shell.

Sending an ACME HTTP validation request to xxx.ddns.net results in an unacceptable redirect. This is most likely a misconfiguration of your web server or your web application.

Bad port number provided when fetching https://xxx.ddns.net:8111/.well-known/acme-challenge/letsdebug-test: 8111

Request to: xx.ddns.net/5.14.xxx.xxx, Result: [Address=5.14.xxx.xxx,Address Type=IPv4,Server=,HTTP Status=302,Number of Redirects=1,Final HTTP Status=302], Issue: BadRedirect

Good. Now you have an easy way to test changes on your system so that you don't do that redirect.


I don't think so, because my system (server) is fine. The first time I got a cert the server was here, also behind a router (well, an internet box), and I never had an issue with this.

If I remove remote management on a specific port of the router, it works. But that's not ideal, nor is it an explanation.

Other systems on the public internet disagree with that.

Please provide your domain name if you want further help. We can't diagnose a comms problem without knowing what you are trying to connect to.


I just told you that I got a cert without any issue in another place.

Could be something with that router specifically.

nmap -A -p80 5.14.xxx.xxx
Starting Nmap 7.80 ( https://nmap.org ) at 2024-12-23 01:36 EET
Nmap scan report for 5-14-xxx-xxx.residential.rdsnet.ro (5.14.xxx.xxx)
Host is up (0.056s latency).

PORT STATE SERVICE VERSION
80/tcp open http BusyBox http 1.19.4
|_http-title: Did not follow redirect to https://5-14-xxx-xxx.residential.rdsnet.ro:8111/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

So nmap doesn't follow the redirect but Certbot does?

port 443

Host is up (0.056s latency).

PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx 1.24.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Restricted
|_http-server-header: nginx/1.24.0
|_http-title: 401 Authorization Required
| ssl-cert: Subject: commonName=example.ddns.net
| Subject Alternative Name: DNS:example.ddns.net
| Not valid before: 2024-12-22T17:05:19
|_Not valid after: 2025-03-22T17:05:18

The site/webserver is protected with .htpasswd, so that could be the reason.

Hi @campones,

Did you try that from your local area network?

Or from the public internet?

